Between September 26, 2021 and October 8, 2021, Radically Open Security conducted a penetration test of OnionShare 2.4, funded by the Open Technology Fund's Red Team lab. This is an issue from that penetration test.
- Vulnerability ID: OTF-006
- Vulnerability type: Broken Website Hardening Control
- Threat level: Low
Description:
The CSP can be turned on or off but not configured for the specific needs of the website.
Technical description:
The website mode of the application allows to use a hardened CSP, which will block any scripts and external resources. It is not possible to configure this CSP for individual pages and therefore the security enhancement cannot be used for websites using javascript or external resources like fonts or images.
If CSP were configurable, the website creator could harden it accordingly to the needs of the application.
As this issue correlates with the Github issue for exposing the flask application directly (https://github.com/onionshare/ onionshare/issues/1389), it can be assumed that this can be solved by either changing to a well-known webserver, which supports this kind of configuration, or enhancing the status quo by making the CSP a configurable part of each website.
We believe that bundling the nginx or apache webserver would add complexity and dependencies to the application that could result in a larger attack surface - as these packages receive regular security updates. On the other hand it is not recommended to directly expose the flask webserver, due to lack of hardening. This is a trade-off which needs to be evaluated by the Onionshare developers, as multiple features are involved. Ideally the application user could choose between the built-in flask webserver or a system webserver of choice.
Impact:
As this is a general weakness and not a direct vulnerability in the Onionshare application, the direct impact of this issue is rather low.
Recommendation:
- Consider offering a configurable webserver choice
- Consider configurable CSP
References
Between September 26, 2021 and October 8, 2021, Radically Open Security conducted a penetration test of OnionShare 2.4, funded by the Open Technology Fund's Red Team lab. This is an issue from that penetration test.
Description:
The CSP can be turned on or off but not configured for the specific needs of the website.
Technical description:
The website mode of the application allows to use a hardened CSP, which will block any scripts and external resources. It is not possible to configure this CSP for individual pages and therefore the security enhancement cannot be used for websites using javascript or external resources like fonts or images.
If CSP were configurable, the website creator could harden it accordingly to the needs of the application.
As this issue correlates with the Github issue for exposing the flask application directly (https://github.com/onionshare/ onionshare/issues/1389), it can be assumed that this can be solved by either changing to a well-known webserver, which supports this kind of configuration, or enhancing the status quo by making the CSP a configurable part of each website.
We believe that bundling the nginx or apache webserver would add complexity and dependencies to the application that could result in a larger attack surface - as these packages receive regular security updates. On the other hand it is not recommended to directly expose the flask webserver, due to lack of hardening. This is a trade-off which needs to be evaluated by the Onionshare developers, as multiple features are involved. Ideally the application user could choose between the built-in flask webserver or a system webserver of choice.
Impact:
As this is a general weakness and not a direct vulnerability in the Onionshare application, the direct impact of this issue is rather low.
Recommendation:
References